Lessons Learned: Issues Exposed in the Aftermath of the Hewlett-Packard Debacle


‘What began as an investigation with the best intentions has ended up turning in a direction we could not possibly have anticipated.’ Mark Hurd, CEO Hewlett-Packard.

On Sept. 5, 2006, Newsweek published a story about Hewlett-Packard’s Chairman Patricia Dunn’s use of a private investigation firm to locate the source of leaks of confidential corporate information. As the story unfolded, the public learned the following: After confidential information appeared in news publications in 2005, certain officers and certain members of the board of directors of Hewlett-Packard (‘HP’) authorized the launch of two investigations, the first in 2005, and the next in 2006, to locate the source of the information leaks. The basis for the investigations was that the information leaked to the press was known only to board members. Certain officers and directors collectively comprised the ‘HP investigation team’ in the secret investigation of the leaks to the media. In devising its plan, the HP investigation team sought the assistance of a top investigator, Ron DeLia, head of Security OutSourcing Solutions, Inc. (‘SOS’), with whom Hewlett-Packard previously had worked on unrelated matters. DeLia allegedly encouraged the HP investigation team to use pretexting or ‘social engineering’ to obtain private cell phone and phone records of certain targeted individuals, among other things.

Pretexting is the act of creating and using an invented scenario to obtain information from or about a target, usually over the telephone. It usually involves some prior research and the use of pieces of known information (e.g., mother’s maiden name, birthday, Social Security Number) to convince the target company that the individual seeking the information is, in fact, the legitimate owner of the information. Misrepresenting anything about oneself in order to improperly obtain another’s information is, by definition, pretexting.

According to reports, SOS asserted that the techniques being used in the investigation were legal. SOS’s legal counsel apparently provided assurances in the form of a ‘legal opinion’ that the actions being taken were legal. Kevin Hunsaker, senior counsel at Hewlett-Packard, relying upon SOS’s representations and the ‘legal opinion,’ relayed these assurances to general counsel and the HP investigation team, of which he was a member. Other members of the HP investigation team have said that they had the clear impression from DeLia that the records he intended to obtain could be obtained legally from publicly available sources. SOS’s continuing investigation into the media leaks included the use of pretexting to gain personal and confidential information about certain of Hewlett-Packard’s directors and employees, as well as unaffiliated members of the press.

In March 2006, SOS issued a draft report that identified the potential source of the leak and provided an outline of the techniques that had been used in conducting the investigation. That outline specifically identified pretexting as one of the techniques employed to obtain information. Other techniques included physical surveillance and other questionable techniques, including the deployment of an e-mail tracer program attached to a bogus e-mail delivered to a reporter. Had the reporter activated the tracer, it would have allowed the private investigator and the HP investigation team to trace his or her IP address. There was also discussion of sending a spyware/keystroke logger program as an e-mail attachment. Had that program been delivered and launched inadvertently by the reporter, SOS and the HP investigation team would have been able to capture every keystroke on the reporter’s computer. SOS’s draft report also allegedly contains some assurances that all of the techniques utilized were legal.

The targets of the investigation included at least two Hewlett-Packard employees, several former and current members of the board of directors, several of those persons’ family members, at least nine journalists at various news publications and, in some cases, those journalists’ spouses and other family members. Several publications have reported that SOS or others under its direction attempted to obtain phone records for Hewlett-Packard’s former CEO Carly Fiorina and Hewlett-Packard’s outside counsel Larry Sonsini. It is not clear at this point whether those records were obtained or whether pretexting was utilized in the attempt to obtain the records.

Pretexting and the Law

Private investigators have used pretexting for years, often to trick a business into disclosing its customers’ information. Private investigators thereby obtain telephone records, banking records, credit card records, and other confidential information from the company by posing as the owner of the account. Most U.S. companies still authenticate a client by asking for a Social Security Number, birthday, or mother’s maiden name (think about the last time you opened an account with a password), all of which are easily obtained by a third party. This makes it extremely easy for a third party or private investigator to obtain personal information.

In 1999, the Gramm-Leach-Bliley Act (‘GLB’) was signed into law. 15 USC §§ 6821-827, Fraudulent Access to Financial Information. The GLB makes pretexting to obtain bank records an illegal act punishable under federal law. The GLB prohibits ‘pretexting,’ or the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers’ personal financial information, such as bank balances. The GLB in part provides as follows:

Sec. 6821. Privacy protection for customer information of financial institutions.